Prerequisites to Create a Domain
Complete the prerequisites before you create a domain.
Create Policies for the Dynamic Group
Create policies in Oracle Cloud Infrastructure so that the compute instances in Oracle WebLogic Server for OKE with Verrazzano can access your encryption key.
When you create a stack with Verrazzano, depending on your custom setup, the compute instances in Oracle WebLogic Server for OKE need to access specific components in Oracle Cloud Infrastructure. The following sample policy statements grant that access to the dynamic group MyInstancesPrincipalGroup; replace the compartment IDs and the values in angle brackets with the OCIDs and names from your own tenancy:
Allow dynamic-group MyInstancesPrincipalGroup to inspect dns-zones in compartment id DNS_Zone_CompartmentID
Allow dynamic-group MyInstancesPrincipalGroup to use dns-zones in compartment id DNS_Zone_CompartmentID where target.dns-zone.id='<dns_zone_ocid>'
Allow dynamic-group MyInstancesPrincipalGroup to manage dns-records in compartment id DNS_Zone_CompartmentID where target.dns-zone.id='<dns_zone_ocid>'
Allow dynamic-group MyInstancesPrincipalGroup to inspect vcns in compartment id NetworkCompartmentID where target.vcn.id='<vcn_id>'
Allow dynamic-group MyInstancesPrincipalGroup to use dns-resolvers in compartment id NetworkCompartmentID where target.dns-resolver.display-name='<label_prefix-vcn>'
Allow dynamic-group MyInstancesPrincipalGroup to inspect dns-views in compartment id DNS_Zone_CompartmentID
Allow dynamic-group MyInstancesPrincipalGroup to read secret-bundles in tenancy where target.secret.id = '<custom_ca_cert_secret_ocid>'
Allow dynamic-group MyInstancesPrincipalGroup to read secret-bundles in tenancy where target.secret.id = '<custom_ca_signing_key_secret_ocid>'
Allow dynamic-group MyInstancesPrincipalGroup to manage repos in compartment id OCI_Identity_CompartmentID
See these topics in the Oracle Cloud Infrastructure documentation:
Validate Existing Network Setup
You can use helper scripts from the Oracle Cloud Infrastructure Cloud Shell to certify the existing network setup (existing VCN and existing WebLogic Server subnet) in Oracle WebLogic Server for OKE. See Using Cloud Shell in the Oracle Cloud Infrastructure documentation.
The helper scripts perform the following validations and functions:
- Validates whether the service gateway or the NAT gateway is created for the administration instance private subnet and the worker nodes private subnets.
- Validates whether an internet gateway is created for the public bastion, file shared system, and load balancer subnets.
- Checks whether port 22 in the WebLogic Server subnet is open for access to the CIDR of the bastion instance subnet or the bastion host IP.
- Checks whether the private subnet for the Oracle WebLogic Server compute instances that uses the service gateway route rule has All <Region> Services In Oracle Services Network as the destination.
- Checks whether the existing subnet for the load balancer has a security list that enables inbound access to ports 80 and 443.
- Validates whether all protocols are open in the private subnet for Kubernetes worker nodes for the worker CIDR range.
- Validates whether all protocols are open in the private subnet for Kubernetes worker nodes for the VCN CIDR range.
- Validates whether the file shared system has a security list that enables outbound access to ports 111 and 2048 (both TCP and UDP).
- Validates whether the database port is accessible from the WebLogic Server subnets.
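As an added illustration of the kind of security-list check the helper script performs (this is example code written for this page, not the validateoke.sh script or any Oracle code), the following Python evaluates ingress rules in the JSON shape returned by the OCI CLI against a required TCP port and source CIDR, covering the port 22 from bastion and load balancer 80/443 checks above. The security list is constructed inline and the source CIDRs are assumed values.

```python
import ipaddress
import json

# Constructed sample in the shape of `oci network security-list get` output
# (kebab-case keys); not real data from any tenancy.
WLS_SECURITY_LIST = json.loads("""
{"data": {"ingress-security-rules": [
  {"protocol": "6", "source": "10.0.0.0/24", "source-type": "CIDR_BLOCK",
   "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
  {"protocol": "6", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
   "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
  {"protocol": "all", "source": "10.0.0.0/16", "source-type": "CIDR_BLOCK"}
]}}
""")


def rule_allows(rule, port, source_cidr):
    """True if one ingress rule admits TCP `port` from every address in `source_cidr`."""
    if rule.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False  # service CIDR and NSG sources are out of scope here
    allowed = ipaddress.ip_network(rule["source"])
    wanted = ipaddress.ip_network(source_cidr)
    # The whole requesting CIDR must be covered by the rule's source block.
    if wanted.version != allowed.version or not wanted.subnet_of(allowed):
        return False
    if rule["protocol"] == "all":
        return True
    if rule["protocol"] != "6":  # IANA protocol number 6 is TCP
        return False
    port_range = (rule.get("tcp-options") or {}).get("destination-port-range")
    if port_range is None:  # a TCP rule without a port range admits all TCP ports
        return True
    return port_range["min"] <= port <= port_range["max"]


def check_port_open(security_list, port, source_cidr):
    """True if any ingress rule admits TCP `port` from `source_cidr`."""
    rules = security_list["data"]["ingress-security-rules"]
    return any(rule_allows(r, port, source_cidr) for r in rules)


def missing_ports(security_list, ports, source_cidr):
    """Ports in `ports` that no ingress rule opens for `source_cidr`."""
    return [p for p in ports if not check_port_open(security_list, p, source_cidr)]


def ssh_from_bastion_findings(security_list, bastion_cidr):
    """Mirror the script's port 22 check: a WARNING when the bastion CIDR is not admitted."""
    if check_port_open(security_list, 22, bastion_cidr):
        return []
    return [f"WARNING: SSH port 22 is not open for access by Bastion Subnet CIDR [{bastion_cidr}]"]
```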
Using the Validation Script
You can run the helper scripts to perform validations for existing private subnets, existing public subnets, and existing VCN peered subnets.
See Script File To Validate Network Setup to create the validateoke.sh file.
Run the validateoke.sh command to check the existing WebLogic Server subnet (and optionally the database subnet) network setup. The following example shows the output when the required ports and gateways are missing in the existing VCN and existing subnets:
example_user@cloudshell:~ (us-phoenix-1)$ ./validateoke.sh -b <Bastion Subnet OCID> -a <Administration Host Subnet OCID> -w <Worker Subnet OCID> -f <File Shared System Subnet OCID> -l <Load Balancer Subnet OCID>
ERROR: SSH port 22 is not open for access by [0.0.0.0/0] in <Bastion Subnet OCID>
WARNING: SSH port 22 is not open for access by Bastion Subnet CIDR [10.0.0.0/24] in private Admin Host Subnet [<Administration Host Subnet OCID>]
ERROR: Missing Service or NAT gateway in the VCN of the private ADMIN_SUBNET Host subnet ocid [<Administration Host Subnet OCID>]
WARNING: Missing internet gateway in the VCN of the BASTION_SUBNET subnet [<Bastion Subnet OCID>]
WARNING: Missing internet gateway in the VCN of the LB_SUBNET subnet [<Load Balancer Subnet OCID>]
WARNING: Missing internet gateway in the VCN of the FSS_SUBNET_OCID subnet [<File Shared System Subnet OCID>]
WARNING: For LB CIDR - Ports are not open in Workers Subnet CIDR 31474
WARNING: For LB CIDR - Ports are not open in Workers Subnet CIDR 10256
WARNING: For LB CIDR - Ports are not open in Workers Subnet CIDR 31804
WARNING: All Ports are not open for LB Subnet CIDR
WARNING: All Ports are not open for LB Subnet CIDR
WARNING: All Ports are not open for LB Subnet CIDR
ERROR: All Protocols are not open for WORKER's Subnet CIDR
ERROR: All Protocols are not open in WORKER's Subnet for VCN CIDR
ERROR: TCP -- 111 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 2048 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 2049 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 2050 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 111 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 2048 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 2049 -- Port is not open in FSS Subnet for VCN CIDR
ERROR: TCP -- 2050 -- Port is not open in FSS Subnet for VCN CIDR